Bug 1717001 Comment 3 Edit History

Thanks for the quick incident report and the quick proposed fix. However, I feel like there is a lack of detail in some specific areas, notably, why did it take a third party report specifically targeted towards Disig for this to be discovered?

I'd like to know what Disig is doing to monitor incidents posted here on Bugzilla, as well as threads posted on m.d.s.p. Bug 1705480 was opened 2 months ago about SECOM having this exact same issue. Why did Disig not read that bug and then check their own CPS to make sure it complied with the MRSP?

If Disig missed that bug, then they still had the chance to evaluate their CPS before this bug was opened, when Corey started [this thread](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/CDal5qSIYvE) roughly a month later on m.d.s.p.

This seems like a pretty significant failure from a CA as they have failed to monitor bugs posted both to Bugzilla and m.d.s.p. and have failed to evaluate their own infrastructure to see if it affected them.

Can you explain how you missed these two early warning signs, and what Disig is going to do to minimise risk in the future? Not just related to this specific issue, but to other issues which may be posted here which could affect Disig too.